PayPal Passkeys: Implement Passkeys like PayPal

• First available in Q4/2022 in the U.S. and then rolled out gradually to different countries and platforms
• Paypal passkeys enhance paypal login security against phishing and credential stuffing while offering a more convenient experience.
• Currently, passkeys are primarily for existing account logins, not initial sign-up for entirely passwordless accounts.
• Paypal passkey setup is done manually via the 'Login and Security' section in account settings.
• PayPal pioneered synchronizing passkeys between their website and native apps, supporting both synced and device-bound passkeys (though synced is more common).
• While offering a streamlined experience globally, implementation in Europe complies with PSD2/SCA, sometimes requiring additional verification steps despite using a passkey (paypal passkey 2fa context). PayPal leverages Conditional UI for seamless auto-fill login and provides clear user education. Early success includes improved login rates and reduced fraud, positioning PayPal as a leader for other financial institutions to follow.

More and more companies from a wide range of industries are stepping into a password-free world and implement passkeys. Through this series of articles, we aim to provide a comprehensive overview of the passkey user experience of those companies. This should enable you to incorporate these findings and enhance your product login accordingly. In each article, we focus on a single company. Today, we dive into PayPal.

Since October 2022, PayPal users in the U.S. have been able to create passkeys for their accounts, marking a significant step towards passwordless authentication in the payment industry. Following this initial launch, paypal passkeys have been successively rolled out in additional countries since early 2023. As one of the world's leading digital payment platforms with over 400 million users, PayPal's adoption of passkeys demonstrates a strong commitment to making online payments and transfers more secure and user-friendly. PayPal stands out as an early pioneer in the payment space, setting a positive example for other banks and financial institutions.

Disclaimer:

1. The initial analysis status was August 2023. This blog post was updated in late April 2025 to reflect the latest changes in PayPal's passkey implementation, noting what has changed since the initial analysis.
2. Please refer to the use cases to find the devices used for the analysis.
3. In this latest update (April 2025), we focused on the main OS & platform combinations and did not test every single variant in detail.

PayPal's decision to adopt passkeys is rooted in a clear strategic imperative driven by the inherent challenges of traditional password-based authentication in the digital payment landscape.

• Combating Cyber Threats: The digital payments environment is under constant assault from phishing attacks, credential stuffing (using stolen password lists to attempt login on other sites) and account takeover (ATO) fraud. Passwords are the weakest link, vulnerable to these pervasive threats. By adopting passkeys, which are cryptographically bound to the specific website and device, PayPal drastically reduces the attack surface for these common forms of fraud.
• Reducing User Friction and Abandonment: Traditional login flows, often involving complex passwords followed by One-Time Passcodes (OTPs) or security questions, create significant friction for users. Forgotten passwords lead to frustrating recovery processes, and multi-step authentication can cause users to abandon transactions, particularly on mobile devices. This friction directly hurts checkout conversion rates. Passkeys offer a streamlined, one-touch login experience using familiar biometric authentication or device PIN, dramatically reducing these pain points.
• Enhancing Security and User Experience: Fundamentally, PayPal seeks to solve the long-standing tension between security and convenience. Passkeys provide a way to deliver significantly stronger security than passwords while simultaneously offering a simpler, faster user experience. This dual benefit is critical for a platform handling sensitive financial transactions.
• Industry Leadership: As a founding member of the FIDO Alliance, the driving force behind the passkey standard, PayPal is committed to leading the industry towards more secure and user-friendly authentication. Being one of the first major payment platforms to roll out passkeys reinforces this leadership position and sets a benchmark for competitors and partners.

By addressing these key challenges and leveraging their position as a FIDO leader, PayPal positioned passkeys as a foundational technology for their future authentication strategy.

PayPal's implementation of passkeys includes several notable features and design choices that impact the user experience and security.

PayPal initiated its passkey journey with a phased rollout. Availability was first introduced in the U.S. in Q4 2022, initially for a subset of users via A/B testing, primarily focusing on Apple devices (iOS, iPadOS, macOS) accessing the website. This initial phase allowed PayPal to gather feedback and identify potential issues in a controlled environment.

Successive rollouts began in early 2023, expanding to Android devices (Android 9+) in the U.S. and later to key European markets like Germany and the UK in mid-2023. This gradual expansion strategy enabled PayPal to adapt to different platforms and regional regulatory requirements while minimizing risk. The rollout has continued since then, with PayPal actively working to accelerate global availability throughout 2025, citing positive outcomes from early adoption.

A significant highlight of PayPal's implementation is the ability to create and use passkeys within their native mobile apps for both Apple and Android devices. Furthermore, PayPal was among the first to enable seamless synchronization of passkeys between the website accessed via a browser and the corresponding native mobile app on the same or different devices (via cloud keychains like iCloud Keychain or Google Password Manager).

This synchronization means a user creating a passkey on their iPhone within the PayPal app can then use that same passkey to log in via Safari on their MacBook or even Chrome on a Windows PC (if synced via Google Password Manager), provided they have their iPhone nearby to approve the cross-device PayPal login. This greatly enhances user convenience and flexibility. Users can also choose to use device-bound passkeys, potentially stored on a hardware security key, although synced passkeys are the more common approach for most users due to ease of use and availability via device keychains.

PayPal quickly integrated Conditional UI, which significantly enhances the PayPal login experience. When a user navigates to the PayPal login page and clicks on the username input field, the browser or operating system's native passkey prompt automatically appears, suggesting the stored passkey for that site.

This eliminates the need for the user to manually remember or type their username, let alone their password. It provides a streamlined, almost one-tap login experience, leveraging the autofill capabilities inherent in the passkey standard. This focus on user convenience from the outset has been a key factor in promoting passkey adoption on the PayPal platform.

Within the account settings, specifically in the 'Login and Security' section, PayPal provides users with a clear overview of their registered passkeys. For each passkey, details such as the device on which it was created, its synchronization status (e.g. synced via iCloud Keychain), and the creation timestamp are displayed. This transparency helps users manage their passkeys and understand where and when they enabled this login method.

PayPal also provides clear guidance on deleting passkeys, explaining that they often need to be removed both locally from the device/keychain and from the PayPal server to be fully de-registered.

Recognizing that passkeys are a new concept for many users, PayPal has invested in user education. They consistently use the term "passkeys" and provide detailed explanations within the setup flow and in their dedicated FAQ section. This includes information on what passkeys are, how they work, the setup process, synchronization and deletion. By proactively addressing potential user questions and concerns, PayPal aims to build trust and encourage adoption of this new authentication method.

See the following screenshot that provides more insights into the correct 2-phased deletion process of passkeys.

• Occasional Platform/Browser Limitations (Historically): As noted in the initial analysis (August 2023), passkeys were not universally available across all device and browser combinations. For instance, Windows support was initially lacking. Update April 2025: This limitation has largely been addressed. PayPal passkeys are now supported on most major operating systems (iOS, macOS, Android, Windows 10+) and browsers (Chrome, Safari, Edge, Firefox), significantly improving availability and consistency.
• Local Deletion not always recognized: A minor technical drawback observed is that if a user deletes a passkey solely from their local device without also removing it from their PayPal account settings, the one-tap login button might still appear, potentially confusing the user. The display should ideally update immediately upon first detection of local deletion.
• No true Identifier-First Flow on Android (primarily Conditional UI / One-Tap): On Android, while leveraging Conditional UI is excellent for user experience, PayPal's primary login flow seems heavily geared towards this or a dedicated passkey button, rather than offering a traditional identifier-first flow that gracefully degrades if no passkey is found. While this protects against account enumeration, a more robust implementation might offer clearer paths for users without a passkey registered on that specific device. Also, it's unclear why on iOS it is implemented properly and while on Android it is not so.

PayPal's early adoption and rollout of passkeys have yielded positive results, demonstrating the tangible benefits of this technology for both security and user experience.

• Increased Login Success Rates: Initial reports indicated a significant increase in login success rates (+10%) for users opting into passkeys compared to traditional password methods. This highlights the reduced friction and fewer errors associated with password entry and recovery.
• Reduced Account Takeover (ATO) Fraud: Passkeys are highly resistant to phishing and credential stuffing, which are primary vectors for ATO fraud. PayPal reported a substantial reduction in ATO fraud attempts and successes (-70% reported in 2023) for users who had enabled passkeys, showcasing the strong security benefits.
• Faster Checkout Times: For users leveraging passkeys for login during the checkout process, the streamlined authentication flow significantly reduces the time taken to complete the transaction, with reports suggesting checkout times potentially dropping to around 5 seconds in ideal scenarios.

These early KPIs underscore the compelling business case for passkeys, proving they not only enhance security but also improve critical business metrics like conversion and fraud reduction.

Implementing passkeys in Europe as a bank, payment provider or financial service organizations presents unique challenges compared to regions like the U.S., primarily due to the stringent requirements of the European Union's Second Payment Services Directive (PSD2) and its mandate for Strong Customer Authentication (SCA).

PSD2 aims to enhance security for electronic payments within the European Economic Area (EEA) and the UK (which has incorporated similar rules). Its cornerstone is SCA, which requires most electronic payment initiations and certain account access actions to be authenticated using at least two independent factors from three categories:

• Knowledge: Something only the user knows (e.g., password, PIN - though static passwords alone are often insufficient).
• Possession: Something only the user possesses (e.g., a trusted device, a token, a phone receiving an OTP).
• Inherence: Something the user is (e.g., biometric data like fingerprint or facial recognition).

Furthermore, for remote transactions, SCA often requires Dynamic Linking, meaning the authentication must be specifically linked to the amount and payee of the transaction.

Synced passkeys are technically well-equipped to meet SCA requirements. A single passkey authentication action inherently combines two factors:

• Possession: The user possesses the device storing the private key.
• Inherence (or Knowledge): The user unlocks that device using biometrics (Inherence) or a device PIN/password ( Knowledge) to authorize the passkey usage.

However, there's no official guidance by regulators how the synced nature of synced passkeys and the possession factor match. Therefore, many European financial service organizations refrain from rolling out passkeys (yet) due to this uncertainty.

Please see also our other blog posts on PSD2 and passkeys for detailed reading:

• Device-Bound vs. Synced Passkeys
• Analysis of PSD2 & SCA Requirements
• What SCA Requirements Mean for Passkeys
• PSD3 / PSR Implications for Passkeys

PayPal's implementation in Europe appears adapted to fit within their existing SCA compliance infrastructure. Unlike the potential for a single-step passkey login in the U.S., European users may sometimes experience a multi-step process for login or sensitive actions:

1. Authenticate with Passkey: This replaces the password entry and satisfies two factors (Possession + Inherence / Knowledge).
2. Additional Verification (if triggered): Depending on risk assessment or new devices, the transaction amount or other SCA triggers, PayPal might still require an additional verification step, such as:

• Entering an SMS-delivered OTP.
• Approving a push notification via the PayPal mobile app.

This means that in certain European scenarios, the passkey acts as one part of the authentication process, but might not always eliminate the need for a subsequent distinct factor to fully comply with how SCA is interpreted and enforced for specific use cases. This contrasts with the ideal frictionless experience where the passkey is the entire authentication.

PayPal utilizes local storage or cookies to remember trusted devices where a synced passkey has been used, which reduces the frequency of these additional SCA checks in subsequent interactions, but initial or high-risk logins often require the extra possession proof.

PayPal recognizes the potential friction this layered approach introduces in Europe compared to other regions. As a result, they are actively advocating for an evolution of SCA rules. In early 2025, PayPal publicly recommended that SCA regulations should encourage authentication methods that can be performed entirely on a single device (like passkeys leveraged via a device's built-in authenticator), without mandating interaction with a separate device (like receiving an SMS OTP).

This advocacy signals PayPal's strategic goal to harmonize the user experience globally and achieve the full friction-reducing potential of passkeys within the European regulatory framework.

It's important to distinguish PayPal's passkeys from purely local biometric authentication within the PayPal native iOS / Android app. While passkeys often rely on biometric authentication (like Face ID or Touch ID on Apple devices, or fingerprint / face scan on Android) to authorize the use of the private key stored securely on the device, the passkey itself is more than just a biometric scan.

• Local Biometric Authentication: This method authenticates the user to the local device or app using biometrics. However, this alone doesn't cryptographically verify the user's identity to an online service like PayPal in a phishing-resistant way. It only proves that the person using the device is the legitimate owner.
• PayPal Passkeys: Passkeys use public-key cryptography. The biometric scan (or device PIN) unlocks the secure enclave on the device to access the private key. This private key is then used to sign a challenge from the PayPal server, proving possession of the key pair. This cryptographic process is phishing-resistant and verifies the user's identity to PayPal.

Therefore, while biometrics are often the user-friendly trigger for a passkey login, the underlying technology of the passkey provides the strong, phishing-resistant online authentication, unlike local biometric authentication alone.

See also our blog post on passkeys vs. local biometrics for more details.

PayPal's passkey authentication isn't limited to direct PayPal account logins. It can also be used via PayPal’s Payment Provider SDK in third-party checkout flows at merchant websites and apps. This allows merchants leveraging PayPal for payment processing to offer their customers a seamless, secure and passwordless authentication experience directly within their checkout flows. Utilizing passkeys through PayPal's SDK significantly streamlines the payment process, reduces friction, and enhances security by mitigating phishing risks and credential-stuffing attacks. For a comprehensive guide and technical details on implementing passkeys in third-party contexts, please refer to our dedicated article on third-party SDK integration with passkeys.

PayPal's technical implementation focuses heavily on leveraging modern passkey features to streamline the user experience, primarily through Conditional UI and dedicated passkey buttons.

• Conditional UI / One-Tap Login: As discussed, PayPal enables Conditional UI on their login page. When a user focuses on the username input field, the browser/OS automatically offers the passkey as an autofill option, presenting the user's email linked to the passkey. PayPal also utilizes a dedicated "Log In with Passkey" button, particularly visible when no username is pre-filled or on subsequent logins. This allows a PayPal login without typing any identifier first.
• No Traditional Identifier-First Flow on Android: On Android, PayPal's flow seems designed around the passkey as the primary method if one exists. There isn't a prominent, explicit identifier-first flow where a user types their email, and then the system checks for a passkey and potentially falls back to a password if none is found. While this design helps prevent account enumeration (attackers guessing valid email addresses), it might be less intuitive for users who provide their identifier and then need choose a login method (or in PayPal's case cannot use passkeys but only a password). For iOS, the identifier-first flow with automatic passkey login start was implemented properly.
• Native App Implementation: In the PayPal native apps, the passkey experience is even more integrated. Conditional UI is often triggered automatically when the app opens or navigates to the login screen, immediately presenting the user's email associated with the passkey and prompting for biometric authentication or PIN.
• Device Remembering and Subsequent SCA: PayPal implements logic to "remember" a trusted device after a successful passkey login, particularly within Europe to manage SCA compliance. This relies on local storage (cookies or app storage). If the user clears storage or explicitly opts out of the "remember this device" feature, subsequent passkey logins on that device might trigger additional SCA steps.

PayPal has published a comprehensive FAQ that provides a detailed explanation of passkeys and guides users through the setup process. This reflects their recognition of the need to educate users about the technology and functionality behind passkeys, as not everyone may be familiar with them yet.

To register new passkeys for your PayPal account, follow these steps:

1. Click the setting icon (web browser) or profile icon (app) in the top right corner
2. Click on Security (web browser) or Login and security (app)

3. Click on Passkey

4. Click on the Create a Passkey button

August 2023 Passkey Creation Explanation

Over time, PayPal improved their messaging and user copy when creating a passkey to the following

April 2025 Passkey Creation Explanation

Note that we have only performed the use cases with passkey-ready devices (e.g., no iPhone prior to iOS 16.0, no MacBook prior to macOS Ventura, no Windows device prior to Windows 10). We use the same PayPal account for every use case.

To initially set up the first passkey for our PayPal account, we click on 'Create a Passkey' as previously shown in section 3.

It is noteworthy that at this point the user is again informed about what passkeys are all about. This shows that PayPal wants to educate users who do not yet know passkeys.

After clicking on 'Create a Passkey', PayPal requires the confirmation of our identity through two-factor authentication.

August 2023

April 2025

Once this has been successfully verified, a passkey can be created, and the default Apple passkey pop-up appears that prompts us to use Face ID.

Once successfully registered, we receive a notification confirming the successful generation of the passkey.

In the 'Login and security' settings, we can now view details about the passkey or even remove it again. The properties include information about the device on which the passkey was created and whether it was synchronized, along with a timestamp for creation.

If you want to delete a passkey, PayPal offers great guidance to users that passkeys need to be deleted locally and on the server-side.

When using the same browser-operating system combination for which a passkey has already been stored, PayPal detects this and does not display the 'Create a Passkey' option. Only after the passkey has been removed from the device again, you can install a new one.

If we want to log in to the PayPal iOS app, we use the passkey previously created on this device. As soon as we open the app, the default Apple passkey pop-up appears that prompts us to use Face ID to log in. If the username input field is empty, the passkey window will not appear immediately, but due to the enabled conditional UI the stored passkey will be automatically suggested and pre-filled as soon as we click on the field.

After verifying our identity with Face ID, the passkey is successfully retrieved, granting us access to our account.

In August 2023, it was not yet possible to create a passkey on a MacBook (this is fixed in April 2025). However, we could log in with one that is synced on the Apple Keychain. In this use case, we retrieved the passkey that we registered on our iPhone in use case 1.

As soon as we enter the PayPal page in the browser, we are presented with the familiar Safari passkey pop-up. Here, we selected 'iPhone, iPad or Android device', which includes the iPhone on the keychain that holds the passkey from use case 1.

We scan the QR code with the device our passkey is stored on (in this case from use case 1).

After logging in with the passkey on the iPhone, we still need to confirm our identity with 2FA when we use it for the first time for our MacBook as well, before we are then logged into our PayPal account.

In this use case, we generate a passkey on an Android device using the PayPal app and store it in the Google Password Manager. The process for generating the passkey for the Android PayPal app is the same as the one for the iPhone PayPal iOS app, with the only difference being that we create the passkey on Android using Android's biometric touch capabilities instead of Face ID and that in this step it is possible to specify the Google account where the created master key will be stored. Once our fingerprint was successfully registered, we receive a notification confirming the successful generation of the passkey. The passkey is now displayed in the Passkeys section in the login and security settings.

Unlike the iPhone, the Android phone does not recognize that a passkey already exists on the device and continues to display the 'Create a Passkey' option. If users then want to set up a passkey, PayPal detects this and prevents the creation of a new and overwriting of an existing passkey.

Further, in August 2023, the phone does not recognize if there is already a passkey for another Android phone stored in the Google Password Manager and allows the creation of a second passkey. This has been fixed until April 2025.

If we want to log in to the PayPal Android app, we use the passkey previously created on this device. As soon as we open the app, the default Android passkey pop-up appears that prompts us to use Touch ID to log in. If the username input field is empty, the passkey window will not appear immediately, but due to the enabled Conditional UI the stored passkey will be automatically suggested and pre-filled as soon as we click on the field.

Android and Chrome

Native iOS App

iOS and Safari when starting to type username

iOS and Safari on page load

After verifying our identity with Face ID, the passkey is successfully retrieved, granting us access to our account.

PayPal has established itself as a clear frontrunner in the adoption of passkeys within the financial services and payment industries. Their early launch, phased global rollout and commitment to core passkey features like Conditional UI and providing a one-tap passkey login experience demonstrate a forward-thinking approach to enhancing both security and user experience.

By strategically positioning passkeys as a replacement for passwords, PayPal directly addresses prevalent threats like phishing and credential stuffing, leading to tangible benefits like reduced fraud and increased login success rates. The streamlined PayPal login process, often involving just a quick biometric scan, offers a significant usability improvement over traditional password and OTP flows.

While the integration of passkeys within Europe requires dealing with the complexities of PSD2 and SCA, sometimes resulting in multi-step authentication flows that differ from the ideal passkey experience, PayPal's active advocacy for regulatory evolution highlights their commitment to achieving a more harmonized and frictionless global experience. Their technical implementation, focusing on Conditional UI and native app integration, showcases best practices for passkey deployment.

PayPal's journey with passkeys provides a compelling blueprint for other banks, payment providers and financial institutions. It demonstrates that adopting this modern authentication standard is not only feasible in a highly regulated environment but also delivers significant security, business, and user experience advantages. As PayPal continues to accelerate its global passkey rollout in 2025 and beyond, they pave the way for a more secure and passwordless future for online payments. Hopefully, many others will follow their lead. Feel free to reach out for payment-related passkey questions.

What are PayPal Passkeys?

Paypal passkeys are a modern, secure way to log in to your PayPal account without needing a password. They use cryptography and are stored securely on your device (like your smartphone or computer) or in a cloud-synced passkey manager (like iCloud Keychain or Google Password Manager).

How do PayPal Passkeys improve security?

Paypal passkeys are phishing-resistant because they are tied to the specific PayPal website and cannot be tricked into working on fake sites. They also protect against credential stuffing and data breaches as your private key never leaves your device. This provides stronger security than traditional passwords and can replace less secure methods like SMS OTPs, acting as a robust form of 2FA.

How do I set up a PayPal Passkey?

You can set up a passkey from the "Login and Security" section within your PayPal account settings on the PayPal website or in the native mobile app. The process involves verifying your identity and then using your device's screen unlock method (like fingerprint or face scan, or device PIN) to create and save the passkey.

Can I use PayPal Passkeys on multiple devices?

Yes, if you use a passkey manager that syncs across devices (like iCloud Keychain for Apple devices or Google Password Manager for Android and Chrome), your PayPal passkey can be used for seamless PayPal login on all your synced devices. You might need to approve the login on another nearby device in some cases.

Do PayPal Passkeys replace passwords entirely?

For users who have set up a passkey, it provides a passwordless PayPal login. Currently, passkeys are primarily for logging into existing accounts and you cannot sign up for a new PayPal account without initially setting a password. However, the strategic goal is to move towards a passwordless future where passkeys are the primary authentication method.

Are PayPal Passkeys a type of 2FA?

Passkeys inherently provide multi-factor authentication (something you have - the device with the key, and something you are - biometrics, or something you know - device PIN). When used for PayPal login, they replace the password and serve as a very strong authentication method that can fulfill 2FA requirements. In Europe, due to SCA rules, an additional step might sometimes be required even after using a passkey.

Can I use a physical security key as a PayPal Passkey?

Yes, the passkey standard supports using FIDO2 security keys (like YubiKeys) to store passkeys. While less common for the average user compared to cloud-synced passkeys, this is a supported method for those who prefer a hardware-backed passkey.

Is PayPal Passkeys available in my country?

PayPal began rolling out passkeys in the U.S. in late 2022 and has been gradually expanding to other countries, incl. key European markets like Germany and the UK since mid-2023. PayPal is accelerating the global rollout in 2025. Check your account settings or PayPal's help center for the latest availability in your region.

What should I do if my PayPal passkey is not working?

If your PayPal passkey isn't working, first confirm your device and browser compatibility (Chrome, Safari, Edge, Firefox with latest updates). Try removing and re-adding your passkey via your account settings. Clearing cache or restarting your browser/device can also resolve common issues.

Are PayPal passkeys available in Australia?

Yes, PayPal has gradually expanded passkey availability to Australia since early 2024. Australian users can enable passkeys via the "Login and Security" section in their PayPal account settings. Ensure your device supports passkeys (iOS 16+, Android 9+, macOS Ventura, Windows 10+) for the best experience.

Which browsers support PayPal passkeys?

PayPal passkeys are widely supported across modern browsers, including Chrome, Safari, Edge, and Firefox. Ensure your browser is updated to the latest version for optimal compatibility and security.

How do I enable passkey login for PayPal?

To enable PayPal passkeys, log in to your account, navigate to "Login and Security," select "Passkeys," and follow the prompts to create and register your passkey using your device’s built-in biometric authentication or PIN.

Can I use PayPal passkeys with Firefox?

Yes, PayPal passkeys are supported in Firefox. Ensure your Firefox browser is updated to the latest version. You can create and manage passkeys through your PayPal account settings, using Firefox's native passkey support.

How does PayPal passkey QR code login work?

When logging into PayPal from a device without a stored passkey, you can scan a QR code displayed on-screen using a device that has your passkey. The QR code triggers authentication on your primary device, securely logging you in without entering passwords.

Is PayPal passkey available in the UK?

Yes, PayPal passkeys have been available in the UK since mid-2023. UK users can set up passkeys via their PayPal account settings and enjoy secure, passwordless logins across supported devices.

Can I use YubiKey for passkeys in PayPal?

Yes, PayPal supports hardware security keys like YubiKey for passkey authentication. You can register your YubiKey via PayPal’s passkey setup under "Login and Security," providing robust, hardware-backed security for your account.

Why do I need to provide a 2FA code after using passkeys?

In certain regions like Europe, regulatory requirements under PSD2/SCA may mandate an additional verification step even after successful passkey authentication. This additional 2FA step ensures compliance and enhances account security, especially for new or high-risk device logins.